July 18, 2023 | THN | Malware / Cyberattack

An unidentified attacker compromised applications used by several Pakistani organizations and delivered ShadowPad, the successor to the PlugX backdoor commonly associated with Chinese hacking groups.

According to Trend Micro, targets included Pakistani government agencies, public sector banks, and telecom providers. Infection occurred between mid-February 2022 and September 2022.

The cybersecurity firm said the incident could have been the result of a supply chain attack. The attack trojanizes the legitimate software used by the victim and deploys malware that can gather sensitive information from the compromised system.

The attack chain starts with a malicious installer for E-Office, an application developed by the Pakistan National Information Technology Board (NITB) to help government departments go paperless.

It is currently unknown how the backdoored E-Office installer was delivered to the targets. That said, there is currently no evidence that the build environment of the Pakistani government agency in question was compromised.

This makes it more likely that the attacker obtained a legitimate installer and modified it to include the malware, then lured the victim into running the trojanized version through a social engineering attack.

“Three files have been added to the legitimate MSI installer: Telerik.Windows.Data.Validation.dll, mscoree.dll and mscoree.dll.dat,” said Trend Micro researcher Daniel Lunghi in an analysis published today.

Telerik.Windows.Data.Validation.dll is actually a legitimate, Microsoft-signed copy of applaunch.exe. It is used to sideload mscoree.dll, which in turn loads mscoree.dll.dat, the ShadowPad payload.
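The sideloading setup above leaves simple static traces in the unpacked installer: an executable renamed to a .dll name, a Windows system DLL name (mscoree.dll) shipped inside an application package, and a .dat companion next to that DLL. The checker below, an added example that is not Trend Micro's tooling, reads the COFF Characteristics field of each PE file to spot an EXE masquerading as a DLL and flags the other two patterns; the package contents are constructed stand-ins, not the real files.

```python
import struct
from typing import Optional

IMAGE_FILE_DLL = 0x2000
# DLL names that belong in the Windows system directory; one shipped next to an
# application binary is the sideloading setup described in the article.
SYSTEM_DLL_NAMES = {"mscoree.dll"}

def pe_characteristics(data: bytes) -> Optional[int]:
    """Return the COFF Characteristics field of a PE image, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return characteristics

def find_sideload_indicators(files: dict) -> list:
    """files maps file names from an unpacked installer to their raw contents."""
    names = {n.lower() for n in files}
    findings = []
    for name, data in files.items():
        lname = name.lower()
        chars = pe_characteristics(data)
        if lname.endswith(".dll") and chars is not None and not chars & IMAGE_FILE_DLL:
            findings.append(f"{name}: named .dll but PE header says EXE (renamed signed loader?)")
        if lname in SYSTEM_DLL_NAMES:
            findings.append(f"{name}: system DLL name shipped inside application package")
        if lname.endswith(".dll") and lname + ".dat" in names:
            findings.append(f"{name}: has companion {name}.dat (encrypted payload container?)")
    return findings

def _fake_pe(is_dll: bool) -> bytes:
    """Constructed minimal PE header for demonstration only; not a runnable binary."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew points just past DOS header
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff

# Constructed sample package modelled on the file names in the article.
SAMPLE_PACKAGE = {
    "EOffice.exe": _fake_pe(False),
    "Telerik.Windows.Data.Validation.dll": _fake_pe(False),  # really an EXE
    "mscoree.dll": _fake_pe(True),
    "mscoree.dll.dat": b"\x9a\x12\x44",                      # opaque blob
}

if __name__ == "__main__":
    for finding in find_sideload_indicators(SAMPLE_PACKAGE):
        print(finding)
```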

Trend Micro said the obfuscation techniques used to hide the DLL and the decrypted final-stage malware are an evolution of an approach previously documented by Positive Technologies in January 2021 in connection with Chinese cyber espionage operations conducted by the Winnti group (aka APT41).


Besides ShadowPad, post-exploitation activity involved the use of Mimikatz to dump passwords and credentials from memory.

While attribution to a known threat actor is hampered by a lack of evidence, the cybersecurity firm said it also discovered malware samples such as Deed RAT, which is believed to belong to the Space Pirates (aka Webworm) threat actor.

“This entire campaign involved highly capable actors acquiring and modifying government application installers to compromise at least three sensitive targets,” said Lunghi.

“The fact that this threat actor has access to the latest version of ShadowPad may be related to its ties to Chinese threat actors, but we cannot confidently point to a specific group.”
